-/* $Id: cfparse.y,v 1.37.2.7 2006/02/02 14:37:17 vanhu Exp $ */
+/* $NetBSD: cfparse.y,v 1.18.4.3 2007/08/01 11:52:19 vanhu Exp $ */
+
+/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
%{
/*
#include <netdb.h>
#include <pwd.h>
#include <grp.h>
+#include <signal.h>
#include "var.h"
#include "misc.h"
#include "genlist.h"
#include "debug.h"
-#include "admin.h"
-#include "privsep.h"
#include "cfparse_proto.h"
#include "cftoken_proto.h"
#include "algorithm.h"
#include "isakmp_var.h"
#include "handler.h"
#include "isakmp.h"
+#include "nattraversal.h"
+#include "isakmp_frag.h"
+#include "session.h"
#ifdef ENABLE_HYBRID
+#include "isakmp_unity.h"
#include "isakmp_xauth.h"
#include "isakmp_cfg.h"
#endif
#include "ipsec_doi.h"
#include "strnames.h"
#include "gcmalloc.h"
-#ifdef HAVE_GSSAPI
-#include "gssapi.h"
-#endif
#include "vendorid.h"
-#include "rsalist.h"
-
+#include "ipsecConfigTracer.h"
+#include "ipsecMessageTracer.h"
static int num2dhgroup[] = {
0,
OAKLEY_ATTR_GRP_DESC_MODP8192
};
+struct remote_index_val {
+ int prefix;
+ struct sockaddr_storage *addr;
+};
+
static struct remoteconf *cur_rmconf;
static int tmpalgtype[MAXALGCLASS];
static struct sainfo *cur_sainfo;
static int cur_algclass;
-static struct proposalspec *newprspec __P((void));
-static void insprspec __P((struct proposalspec *, struct proposalspec **));
-static struct secprotospec *newspspec __P((void));
-static void insspspec __P((struct secprotospec *, struct proposalspec **));
-static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
+static struct proposalspec *newprspec (void);
+static void insprspec (struct proposalspec *, struct proposalspec **);
+static struct secprotospec *newspspec (void);
+static void insspspec (struct secprotospec *, struct proposalspec **);
-static int set_isakmp_proposal
- __P((struct remoteconf *, struct proposalspec *));
-static void clean_tmpalgtype __P((void));
-static int expand_isakmpspec __P((int, int, int *,
- int, int, time_t, int, int, int, char *, struct remoteconf *));
-static int listen_addr __P((struct sockaddr *addr, int udp_encap));
+static int set_isakmp_proposal (struct remoteconf *, struct proposalspec *);
+static void clean_tmpalgtype (void);
+static int expand_isakmpspec (int, int, int *,
+ int, int, time_t, int, int, int, char *, struct remoteconf *);
+static int listen_addr (struct sockaddr_storage *addr, int udp_encap);
void freeetypes (struct etypes **etypes);
#if 0
-static int fix_lifebyte __P((u_long));
+static int fix_lifebyte (u_long);
#endif
%}
unsigned long num;
vchar_t *val;
struct remoteconf *rmconf;
- struct sockaddr *saddr;
+ struct sockaddr_storage *saddr;
struct sainfoalg *alg;
+ struct remote_index_val *rmidx;
}
- /* privsep */
-%token PRIVSEP USER GROUP CHROOT
/* path */
%token PATH PATHTYPE
/* include */
/* listen */
%token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
/* modecfg */
-%token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4
-%token CFG_AUTH_SOURCE CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LOCAL CFG_NONE
-%token CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE
+%token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
+%token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
+%token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE
+%token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS
%token CFG_PFS_GROUP CFG_SAVE_PASSWD
/* timer */
%token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
/* algorithm */
%token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
/* sainfo */
-%token SAINFO FROM
+%token SAINFO FROM GROUP
/* remote */
%token REMOTE ANONYMOUS INHERIT
%token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
%token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE
%token VERIFY_CERT SEND_CERT SEND_CR
-%token IDENTIFIERTYPE MY_IDENTIFIER PEERS_IDENTIFIER VERIFY_IDENTIFIER
+%token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER
+%token PEERS_IDENTIFIER VERIFY_IDENTIFIER
+%token LOCAL_ADDRESS
%token SHARED_SECRET SECRETTYPE
%token OPEN_DIR_AUTH_GROUP IN_KEYCHAIN
%token CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION
%token DNSSEC CERT_X509 CERT_PLAINRSA
%token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
-%token NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL NAT_TRAVERSAL_MULTI_USER
+%token NAT_TRAVERSAL REMOTE_FORCE_LEVEL NAT_TRAVERSAL_LEVEL NAT_TRAVERSAL_MULTI_USER NAT_TRAVERSAL_KEEPALIVE
%token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
-%token GENERATE_POLICY SUPPORT_PROXY
+%token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY
%token PROPOSAL
%token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
%token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE
%token COMPLEX_BUNDLE
-%token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL
-%token XAUTH_LOGIN
+%token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL DPD_ALGORITHM
+%token DISCONNECT_ON_IDLE IDLE_TIMEOUT IDLE_DIRECTION
+%token XAUTH_LOGIN WEAK_PHASE1_CHECK
%token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
-%token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH
-
-%token SCRIPT PHASE1_UP PHASE1_DOWN
+%token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
%token NUMBER SWITCH BOOLEAN
-%token HEXSTRING QUOTEDSTRING ADDRSTRING
+%token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
%token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
%token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
%token EOS BOC EOC COMMA
+%token DPD_ALGO_TYPE_DEFAULT DPD_ALGO_TYPE_INBOUND DPD_ALGO_TYPE_BLACKHOLE
+%token IDLE_DIRECTION_IN IDLE_DIRECTION_OUT IDLE_DIRECTION_ANY IKE_VERSION
%type <num> NUMBER BOOLEAN SWITCH keylength
-%type <num> PATHTYPE IDENTIFIERTYPE LOGLEV GSS_ID_ENCTYPE
+%type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE
%type <num> SECRETTYPE
%type <num> ALGORITHM_CLASS dh_group_num
%type <num> ALGORITHMTYPE STRENGTHTYPE
%type <num> PREFIX prefix PORT port ike_port
%type <num> ul_proto UL_PROTO
%type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
-%type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL
+%type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL GENERATE_LEVEL
%type <num> VERIFICATION_MODULE VERIFICATION_OPTION
%type <num> unittype_time unittype_byte
-%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING sainfo_id
+%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
%type <val> identifierstring
-%type <saddr> remote_index ike_addrinfo_port
+%type <saddr> ike_addrinfo_port
%type <alg> algorithm
+%type <num> dpd_algo_type
+%type <num> idle_dir_type
+%type <rmidx> remote_index ike_addrinfo_prefix_port
%%
| statements statement
;
statement
- : privsep_statement
- | path_statement
+ : path_statement
| include_statement
- | gssenc_statement
| identifier_statement
| logging_statement
| padding_statement
| special_statement
;
- /* privsep */
-privsep_statement
- : PRIVSEP BOC privsep_stmts EOC
- ;
-privsep_stmts
- : /* nothing */
- | privsep_stmts privsep_stmt
- ;
-privsep_stmt
- : USER QUOTEDSTRING
- {
- struct passwd *pw;
-
- if ((pw = getpwnam($2->v)) == NULL) {
- yyerror("unkown user \"%s\"", $2->v);
- return -1;
- }
- lcconf->uid = pw->pw_uid;
- }
- EOS
- | USER NUMBER { lcconf->uid = $2; } EOS
- | GROUP QUOTEDSTRING
- {
- struct group *gr;
-
- if ((gr = getgrnam($2->v)) == NULL) {
- yyerror("unkown group \"%s\"", $2->v);
- return -1;
- }
- lcconf->gid = gr->gr_gid;
- }
- EOS
- | GROUP NUMBER { lcconf->gid = $2; } EOS
- | CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS
- ;
-
/* path */
path_statement
: PATH PATHTYPE QUOTEDSTRING
{
if ($2 >= LC_PATHTYPE_MAX) {
- yyerror("invalid path type %d", $2);
+ racoon_yyerror("invalid path type %d", $2);
return -1;
}
racoon_free(lcconf->pathinfo[$2]);
/* set new pathinfo */
- lcconf->pathinfo[$2] = strdup($3->v);
+ lcconf->pathinfo[$2] = racoon_strdup($3->v);
+ STRDUP_FATAL(lcconf->pathinfo[$2]);
vfree($3);
}
EOS
}
;
- /* gss_id_enc */
-gssenc_statement
- : GSS_ID_ENC GSS_ID_ENCTYPE EOS
- {
- if ($2 >= LC_GSSENC_MAX) {
- yyerror("invalid GSS ID encoding %d", $2);
- return -1;
- }
- lcconf->gss_id_enc = $2;
- }
- ;
-
- /* self infomation */
+ /* self information */
identifier_statement
: IDENTIFIER identifier_stmt
;
$2->l--; /* nuke '\0' */
lcconf->ident[$1] = $2;
if (lcconf->ident[$1] == NULL) {
- yyerror("failed to set my ident: %s",
+ racoon_yyerror("failed to set my ident: %s",
strerror(errno));
return -1;
}
: LOGGING log_level EOS
;
log_level
- : HEXSTRING
+ : QUOTEDSTRING
{
/*
* XXX ignore it because this specification
* will be obsoleted.
*/
- yywarn("see racoon.conf(5), such a log specification will be obsoleted.");
+ plogsetlevelquotedstr($1->v);
vfree($1);
}
| LOGLEV
{
- /*
- * set the loglevel by configuration file only when
- * the command line did not specify any loglevel.
- */
- if (loglevel <= LLV_BASE)
- loglevel += $1;
+ plogsetlevel($1);
}
;
#ifdef ENABLE_NATT
listen_addr ($2, 1);
#else
- yyerror("NAT-T support not compiled in.");
+ racoon_yyerror("NAT-T support not compiled in.");
#endif
}
EOS
| X_ADMIN
{
- yyerror("admin directive is obsoleted.");
+ racoon_yyerror("admin directive is obsoleted.");
}
PORT EOS
| ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER
{
-#ifdef ENABLE_ADMINPORT
- adminsock_conf($2, $3, $4, $5);
-#else
- yywarn("admin port support not compiled in");
-#endif
+ racoon_yywarn("admin port support not compiled in");
}
EOS
| ADMINSOCK QUOTEDSTRING
{
-#ifdef ENABLE_ADMINPORT
- adminsock_conf($2, NULL, NULL, -1);
-#else
- yywarn("admin port support not compiled in");
-#endif
+ racoon_yywarn("admin port support not compiled in");
}
EOS
| ADMINSOCK DISABLED
{
-#ifdef ENABLE_ADMINPORT
- adminsock_path = NULL;
-#else
- yywarn("admin port support not compiled in");
-#endif
+ racoon_yywarn("admin port support not compiled in");
}
EOS
| STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
return -1;
}
;
+ike_addrinfo_prefix_port
+ : ADDRSTRING prefix ike_port
+ {
+ char portbuf[10];
+ struct remote_index_val *new;
+
+ new = racoon_calloc(1, sizeof(*new));
+ if (new == NULL) {
+ racoon_yyerror("failed to allocate remote index struct");
+ vfree($1);
+ return -1;
+ }
+ snprintf(portbuf, sizeof(portbuf), "%ld", $3);
+ new->addr = str2saddr($1->v, portbuf);
+ vfree($1);
+ if (!new->addr) {
+ racoon_yyerror("failed to allocate sockaddr storage");
+ return -1;
+ }
+ new->prefix = $2;
+ $$ = new;
+ }
+ ;
ike_port
: /* nothing */ { $$ = PORT_ISAKMP; }
| PORT { $$ = $1; }
: CFG_NET4 ADDRSTRING
{
#ifdef ENABLE_HYBRID
- if (inet_pton(AF_INET, $2->v,
- &isakmp_cfg_config.network4) != 1)
- yyerror("bad IPv4 network address.");
+ if (inet_pton(AF_INET, $2->v,
+ &isakmp_cfg_config.network4) != 1)
+ racoon_yyerror("bad IPv4 network address.");
+ vfree($2);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
#ifdef ENABLE_HYBRID
if (inet_pton(AF_INET, $2->v,
&isakmp_cfg_config.netmask4) != 1)
- yyerror("bad IPv4 netmask address.");
+ racoon_yyerror("bad IPv4 netmask address.");
+ vfree($2);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
- | CFG_DNS4 ADDRSTRING
+ | CFG_DNS4 addrdnslist
+ EOS
+ | CFG_NBNS4 addrwinslist
+ EOS
+ | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist
{
#ifdef ENABLE_HYBRID
- if (inet_pton(AF_INET, $2->v,
- &isakmp_cfg_config.dns4) != 1)
- yyerror("bad IPv4 DNS address.");
+ isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN;
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
- | CFG_NBNS4 ADDRSTRING
+ | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist
{
#ifdef ENABLE_HYBRID
- if (inet_pton(AF_INET, $2->v,
- &isakmp_cfg_config.nbns4) != 1)
- yyerror("bad IPv4 WINS address.");
+ isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE;
+#else
+ racoon_yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_SPLIT_DNS splitdnslist
+ {
+#ifndef ENABLE_HYBRID
+ racoon_yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_DEFAULT_DOMAIN QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+ strlcpy(&isakmp_cfg_config.default_domain[0],
+ $2->v, sizeof(isakmp_cfg_config.default_domain));
+ vfree($2);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
#ifdef ENABLE_HYBRID
isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
| CFG_AUTH_SOURCE CFG_RADIUS
{
#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBRADIUS
- isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS;
-#else /* HAVE_LIBRADIUS */
- yyerror("racoon not configured with --with-libradius");
-#endif /* HAVE_LIBRADIUS */
+ racoon_yyerror("racoon not configured with --with-libradius");
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
| CFG_AUTH_SOURCE CFG_PAM
{
#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBPAM
- isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM;
-#else /* HAVE_LIBPAM */
- yyerror("racoon not configured with --with-libpam");
-#endif /* HAVE_LIBPAM */
+ racoon_yyerror("racoon not configured with --with-libpam");
+#else /* ENABLE_HYBRID */
+ racoon_yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_AUTH_SOURCE CFG_LDAP
+ {
+#ifdef ENABLE_HYBRID
+ racoon_yyerror("racoon not configured with --with-libldap");
+#else /* ENABLE_HYBRID */
+ racoon_yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_AUTH_GROUPS authgrouplist
+ {
+#ifndef ENABLE_HYBRID
+ racoon_yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_GROUP_SOURCE CFG_SYSTEM
+ {
+#ifdef ENABLE_HYBRID
+ isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
+#else
+ racoon_yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_GROUP_SOURCE CFG_LDAP
+ {
+#ifdef ENABLE_HYBRID
+ racoon_yyerror("racoon not configured with --with-libldap");
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
#ifdef ENABLE_HYBRID
isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_ACCOUNTING CFG_SYSTEM
+ {
+#ifdef ENABLE_HYBRID
+ isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM;
+#else
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
| CFG_ACCOUNTING CFG_RADIUS
{
#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBRADIUS
- isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS;
-#else /* HAVE_LIBRADIUS */
- yyerror("racoon not configured with --with-libradius");
-#endif /* HAVE_LIBRADIUS */
+ racoon_yyerror("racoon not configured with --with-libradius");
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
| CFG_ACCOUNTING CFG_PAM
{
#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBPAM
- isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM;
-#else /* HAVE_LIBPAM */
- yyerror("racoon not configured with --with-libpam");
-#endif /* HAVE_LIBPAM */
+ racoon_yyerror("racoon not configured with --with-libpam");
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
| CFG_POOL_SIZE NUMBER
{
#ifdef ENABLE_HYBRID
- size_t len;
-
- isakmp_cfg_config.pool_size = $2;
-
- len = $2 * sizeof(*isakmp_cfg_config.port_pool);
- isakmp_cfg_config.port_pool = racoon_malloc(len);
- if (isakmp_cfg_config.port_pool == NULL)
- yyerror("cannot allocate memory for pool");
- bzero(isakmp_cfg_config.port_pool, len);
+ if (isakmp_cfg_resize_pool($2) != 0)
+ racoon_yyerror("cannot allocate memory for pool");
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
{
#ifdef ENABLE_HYBRID
isakmp_cfg_config.pfs_group = $2;
+ switch (isakmp_cfg_config.pfs_group)
+ {
+ case OAKLEY_ATTR_GRP_DESC_MODP768:
+ case OAKLEY_ATTR_GRP_DESC_MODP1024:
+ case OAKLEY_ATTR_GRP_DESC_MODP1536:
+ case OAKLEY_ATTR_GRP_DESC_MODP2048:
+ case OAKLEY_ATTR_GRP_DESC_MODP3072:
+ case OAKLEY_ATTR_GRP_DESC_MODP4096:
+ case OAKLEY_ATTR_GRP_DESC_MODP6144:
+ case OAKLEY_ATTR_GRP_DESC_MODP8192:
+ break;
+ default:
+ racoon_yyerror("Invalid PFS group specified");
+ return -1;
+ break;
+ }
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
#ifdef ENABLE_HYBRID
isakmp_cfg_config.save_passwd = $2;
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
#ifdef ENABLE_HYBRID
isakmp_cfg_config.auth_throttle = $2;
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
#ifdef ENABLE_HYBRID
isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
| CFG_CONF_SOURCE CFG_RADIUS
{
#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBRADIUS
- isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS;
-#else /* HAVE_LIBRADIUS */
- yyerror("racoon not configured with --with-libradius");
-#endif /* HAVE_LIBRADIUS */
+ racoon_yyerror("racoon not configured with --with-libradius");
#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_CONF_SOURCE CFG_LDAP
+ {
+#ifdef ENABLE_HYBRID
+ racoon_yyerror("racoon not configured with --with-libldap");
+#else /* ENABLE_HYBRID */
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif /* ENABLE_HYBRID */
}
EOS
| CFG_MOTD QUOTEDSTRING
{
#ifdef ENABLE_HYBRID
- strncpy(&isakmp_cfg_config.motd[0], $2->v, MAXPATHLEN);
- isakmp_cfg_config.motd[MAXPATHLEN] = '\0';
+ strlcpy(&isakmp_cfg_config.motd[0], $2->v, sizeof(isakmp_cfg_config.motd));
vfree($2);
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
;
+addrdnslist
+ : addrdns
+ | addrdns COMMA addrdnslist
+ ;
+addrdns
+ : ADDRSTRING
+ {
+#ifdef ENABLE_HYBRID
+ struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+
+ if (icc->dns4_index >= MAXNS) {
+ racoon_yyerror("No more than %d DNS", MAXNS);
+ return -1;
+ }
+ if (inet_pton(AF_INET, $1->v,
+ &icc->dns4[icc->dns4_index++]) != 1)
+ racoon_yyerror("bad IPv4 DNS address.");
+
+ vfree($1);
+#else
+ racoon_yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ ;
+
+addrwinslist
+ : addrwins
+ | addrwins COMMA addrwinslist
+ ;
+addrwins
+ : ADDRSTRING
+ {
+#ifdef ENABLE_HYBRID
+ struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+
+ if (icc->nbns4_index >= MAXWINS) {
+ racoon_yyerror("No more than %d WINS", MAXWINS);
+ return -1;
+ }
+ if (inet_pton(AF_INET, $1->v,
+ &icc->nbns4[icc->nbns4_index++]) != 1)
+ racoon_yyerror("bad IPv4 WINS address.");
+
+ vfree($1);
+#else
+ racoon_yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ ;
+
+splitnetlist
+ : splitnet
+ | splitnetlist COMMA splitnet
+ ;
+splitnet
+ : ADDRSTRING PREFIX
+ {
+#ifdef ENABLE_HYBRID
+ struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+ struct unity_network network;
+
+ if (inet_pton(AF_INET, $1->v, &network.addr4) != 1)
+ racoon_yyerror("bad IPv4 SPLIT address.");
+
+ /* Turn $2 (the prefix) into a subnet mask */
+ network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0;
+
+ /* add the network to our list */
+ if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count))
+ racoon_yyerror("Unable to allocate split network");
+
+ vfree($1);
+#else
+ racoon_yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ ;
+
+authgrouplist
+ : authgroup
+ | authgroup COMMA authgrouplist
+ ;
+authgroup
+ : QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+ char * groupname = NULL;
+ char ** grouplist = NULL;
+ struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+
+ grouplist = racoon_realloc(icc->grouplist,
+ sizeof(char**)*(icc->groupcount+1));
+ if (grouplist == NULL)
+ racoon_yyerror("unable to allocate auth group list");
+
+ groupname = racoon_malloc($1->l+1);
+ if (groupname == NULL)
+ racoon_yyerror("unable to allocate auth group name");
+
+ memcpy(groupname,$1->v,$1->l);
+ groupname[$1->l]=0;
+ grouplist[icc->groupcount]=groupname;
+ icc->grouplist = grouplist;
+ icc->groupcount++;
+
+ vfree($1);
+#else
+ racoon_yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ ;
+
+splitdnslist
+ : splitdns
+ | splitdns COMMA splitdnslist
+ ;
+splitdns
+ : QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+ struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+
+ if (!icc->splitdns_len)
+ {
+ icc->splitdns_list = racoon_malloc($1->l);
+ if(icc->splitdns_list == NULL)
+ racoon_yyerror("error allocating splitdns list buffer");
+ memcpy(icc->splitdns_list,$1->v,$1->l);
+ icc->splitdns_len = $1->l;
+ }
+ else
+ {
+ int len = icc->splitdns_len + $1->l + 1;
+ icc->splitdns_list = racoon_realloc(icc->splitdns_list,len);
+ if(icc->splitdns_list == NULL)
+ racoon_yyerror("error allocating splitdns list buffer");
+ icc->splitdns_list[icc->splitdns_len] = ',';
+ memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l);
+ icc->splitdns_len = len;
+ }
+ vfree($1);
+#else
+ racoon_yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ ;
+
+
/* timer */
timer_statement
: RETRY BOC timer_stmts EOC
#ifdef ENABLE_NATT
lcconf->natt_ka_interval = $2 * $3;
#else
- yyerror("NAT-T support not compiled in.");
+ racoon_yyerror("NAT-T support not compiled in.");
#endif
}
EOS
sainfo_statement
: SAINFO
{
- cur_sainfo = newsainfo();
+ cur_sainfo = create_sainfo();
if (cur_sainfo == NULL) {
- yyerror("failed to allocate sainfo");
+ racoon_yyerror("failed to allocate sainfo");
return -1;
}
}
- sainfo_name sainfo_peer BOC sainfo_specs
+ sainfo_name sainfo_param BOC sainfo_specs
{
struct sainfo *check;
/* default */
if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
- yyerror("no encryption algorithm at %s",
+ racoon_yyerror("no encryption algorithm at %s",
sainfo2str(cur_sainfo));
return -1;
}
if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
- yyerror("no authentication algorithm at %s",
+ racoon_yyerror("no authentication algorithm at %s",
sainfo2str(cur_sainfo));
return -1;
}
if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
- yyerror("no compression algorithm at %s",
+ racoon_yyerror("no compression algorithm at %s",
sainfo2str(cur_sainfo));
return -1;
}
/* duplicate check */
check = getsainfo(cur_sainfo->idsrc,
cur_sainfo->iddst,
- cur_sainfo->id_i);
+ cur_sainfo->id_i, 0);
if (check && (!check->idsrc && !cur_sainfo->idsrc)) {
- yyerror("duplicated sainfo: %s",
+ racoon_yyerror("duplicated sainfo: %s",
sainfo2str(cur_sainfo));
return -1;
}
cur_sainfo->idsrc = NULL;
cur_sainfo->iddst = NULL;
}
+ | ANONYMOUS sainfo_id
+ {
+ cur_sainfo->idsrc = NULL;
+ cur_sainfo->iddst = $2;
+ }
+ | sainfo_id ANONYMOUS
+ {
+ cur_sainfo->idsrc = $1;
+ cur_sainfo->iddst = NULL;
+ }
| sainfo_id sainfo_id
{
cur_sainfo->idsrc = $1;
: IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
{
char portbuf[10];
- struct sockaddr *saddr;
+ struct sockaddr_storage *saddr;
if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
&& ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
- yyerror("port number must be \"any\".");
+ racoon_yyerror("port number must be \"any\".");
return -1;
}
if (saddr == NULL)
return -1;
- switch (saddr->sa_family) {
+ switch (saddr->ss_family) {
case AF_INET:
if ($5 == IPPROTO_ICMPV6) {
- yyerror("upper layer protocol mismatched.\n");
+ racoon_yyerror("upper layer protocol mismatched.\n");
racoon_free(saddr);
return -1;
}
$$ = ipsecdoi_sockaddr2id(saddr,
-#if 0
- $3 == (sizeof(struct in_addr) << 3) &&
- $1 == IDTYPE_ADDRESS
- ? ~0 : $3,
-#else
- $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
-#endif
- $5);
+ $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
+ $5);
break;
#ifdef INET6
case AF_INET6:
if ($5 == IPPROTO_ICMP) {
- yyerror("upper layer protocol mismatched.\n");
+ racoon_yyerror("upper layer protocol mismatched.\n");
racoon_free(saddr);
return -1;
}
- $$ = ipsecdoi_sockaddr2id(saddr,
-#if 0
- $3 == (sizeof(struct in6_addr) << 3) &&
- $1 == IDTYPE_ADDRESS
- ? ~0 : $3,
-#else
- $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3,
-#endif
- $5);
+ $$ = ipsecdoi_sockaddr2id(saddr,
+ $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3,
+ $5);
break;
#endif
default:
- yyerror("invalid family: %d", saddr->sa_family);
+ racoon_yyerror("invalid family: %d", saddr->ss_family);
$$ = NULL;
break;
}
if ($$ == NULL)
return -1;
}
+ | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto
+ {
+ char portbuf[10];
+ struct sockaddr_storage *laddr = NULL, *haddr = NULL;
+
+ if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
+ && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
+ racoon_yyerror("port number must be \"any\".");
+ return -1;
+ }
+
+ snprintf(portbuf, sizeof(portbuf), "%lu", $5);
+
+ laddr = str2saddr($2->v, portbuf);
+ if (laddr == NULL) {
+ return -1;
+ }
+ vfree($2);
+ haddr = str2saddr($3->v, portbuf);
+ if (haddr == NULL) {
+ racoon_free(laddr);
+ return -1;
+ }
+ vfree($3);
+
+ switch (laddr->ss_family) {
+ case AF_INET:
+ if ($6 == IPPROTO_ICMPV6) {
+ racoon_yyerror("upper layer protocol mismatched.\n");
+ if (laddr)
+ racoon_free(laddr);
+ if (haddr)
+ racoon_free(haddr);
+ return -1;
+ }
+ $$ = ipsecdoi_sockrange2id(laddr, haddr,
+ $6);
+ break;
+#ifdef INET6
+ case AF_INET6:
+ if ($6 == IPPROTO_ICMP) {
+ racoon_yyerror("upper layer protocol mismatched.\n");
+ if (laddr)
+ racoon_free(laddr);
+ if (haddr)
+ racoon_free(haddr);
+ return -1;
+ }
+ $$ = ipsecdoi_sockrange2id(laddr, haddr,
+ $6);
+ break;
+#endif
+ default:
+ racoon_yyerror("invalid family: %d", laddr->ss_family);
+ $$ = NULL;
+ break;
+ }
+ if (laddr)
+ racoon_free(laddr);
+ if (haddr)
+ racoon_free(haddr);
+ if ($$ == NULL)
+ return -1;
+ }
| IDENTIFIERTYPE QUOTEDSTRING
{
struct ipsecdoi_id_b *id_b;
if ($1 == IDTYPE_ASN1DN) {
- yyerror("id type forbidden: %d", $1);
+ racoon_yyerror("id type forbidden: %d", $1);
$$ = NULL;
return -1;
}
$$ = vmalloc(sizeof(*id_b) + $2->l);
if ($$ == NULL) {
- yyerror("failed to allocate identifier");
+ racoon_yyerror("failed to allocate identifier");
return -1;
}
- id_b = (struct ipsecdoi_id_b *)$$->v;
+ id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)$$->v;
id_b->type = idtype2doi($1);
id_b->proto_id = 0;
memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
}
;
-sainfo_peer
+sainfo_param
: /* nothing */
{
cur_sainfo->id_i = NULL;
vchar_t *idv;
if (set_identifier(&idv, $2, $3) != 0) {
- yyerror("failed to set identifer.\n");
+ racoon_yyerror("failed to set identifer.\n");
return -1;
}
cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l);
if (cur_sainfo->id_i == NULL) {
- yyerror("failed to allocate identifier");
+ racoon_yyerror("failed to allocate identifier");
return -1;
}
- id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
+ id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
id_b->type = idtype2doi($2);
id_b->proto_id = 0;
idv->v, idv->l);
vfree(idv);
}
+ | GROUP QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+ if ((cur_sainfo->group = vdup($2)) == NULL) {
+ racoon_yyerror("failed to set sainfo xauth group.\n");
+ return -1;
+ }
+#else
+ racoon_yyerror("racoon not configured with --enable-hybrid");
+ return -1;
+#endif
+ }
;
sainfo_specs
: /* nothing */
: PFS_GROUP dh_group_num
{
cur_sainfo->pfs_group = $2;
+ switch (cur_sainfo->pfs_group)
+ {
+ case OAKLEY_ATTR_GRP_DESC_MODP768:
+ case OAKLEY_ATTR_GRP_DESC_MODP1024:
+ case OAKLEY_ATTR_GRP_DESC_MODP1536:
+ case OAKLEY_ATTR_GRP_DESC_MODP2048:
+ case OAKLEY_ATTR_GRP_DESC_MODP3072:
+ case OAKLEY_ATTR_GRP_DESC_MODP4096:
+ case OAKLEY_ATTR_GRP_DESC_MODP6144:
+ case OAKLEY_ATTR_GRP_DESC_MODP8192:
+ break;
+ default:
+ racoon_yyerror("Invalid PFS group specified");
+ return -1;
+ break;
+ }
}
EOS
| LIFETIME LIFETYPE_TIME NUMBER unittype_time
| LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
{
#if 1
- yyerror("byte lifetime support is deprecated");
+ racoon_yyerror("byte lifetime support is deprecated");
return -1;
#else
cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
algorithms EOS
| IDENTIFIER IDENTIFIERTYPE
{
- yyerror("it's deprecated to specify a identifier in phase 2");
+ racoon_yyerror("it's deprecated to specify a identifier in phase 2");
}
EOS
| MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING
{
- yyerror("it's deprecated to specify a identifier in phase 2");
+ racoon_yyerror("it's deprecated to specify a identifier in phase 2");
}
EOS
;
$$ = newsainfoalg();
if ($$ == NULL) {
- yyerror("failed to get algorithm allocation");
+ racoon_yyerror("failed to get algorithm allocation");
return -1;
}
$$->alg = algtype2doi(cur_algclass, $1);
if ($$->alg == -1) {
- yyerror("algorithm mismatched");
+ racoon_yyerror("algorithm mismatched");
racoon_free($$);
$$ = NULL;
return -1;
defklen = default_keylen(cur_algclass, $1);
if (defklen == 0) {
if ($2) {
- yyerror("keylen not allowed");
+ racoon_yyerror("keylen not allowed");
racoon_free($$);
$$ = NULL;
return -1;
}
} else {
if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
- yyerror("invalid keylen %d", $2);
+ racoon_yyerror("invalid keylen %d", $2);
racoon_free($$);
$$ = NULL;
return -1;
int b = algtype2doi(cur_algclass, $1);
if (a == IPSECDOI_ATTR_AUTH)
a = IPSECDOI_PROTO_IPSEC_AH;
- yyerror("algorithm %s not supported by the kernel (missing module?)",
+ racoon_yyerror("algorithm %s not supported by the kernel (missing module?)",
s_ipsecdoi_trns(a, b));
racoon_free($$);
$$ = NULL;
struct remoteconf *new;
struct proposalspec *prspec;
- new = copyrmconf($4);
+ new = copyrmconf($4->addr);
if (new == NULL) {
- yyerror("failed to get remoteconf for %s.", saddr2str ($4));
+ racoon_yyerror("failed to get remoteconf for %s.", saddr2str((struct sockaddr *)$4));
+ racoon_free($2->addr);
+ racoon_free($2);
+ racoon_free($4->addr);
+ racoon_free($4);
return -1;
}
- new->remote = $2;
- new->inherited_from = getrmconf_strict($4, 1);
+ new->remote = $2->addr;
+ new->remote_prefix = ($2->prefix == ~0 ? 0 : $2->prefix);
+ new->inherited_from = getrmconf_strict($4->addr, 1);
new->proposal = NULL;
new->prhead = NULL;
cur_rmconf = new;
+ racoon_free($2);
+ racoon_free($4->addr);
+ racoon_free($4);
prspec = newprspec();
if (prspec == NULL || !cur_rmconf->inherited_from
struct remoteconf *new;
struct proposalspec *prspec;
- new = newrmconf();
+ new = create_rmconf();
if (new == NULL) {
- yyerror("failed to get new remoteconf.");
+ racoon_yyerror("failed to get new remoteconf.");
+ racoon_free($2->addr);
+ racoon_free($2);
return -1;
}
-
- new->remote = $2;
+ new->remote = $2->addr;
+ new->remote_prefix = ($2->prefix == ~0 ? 0 : $2->prefix);
cur_rmconf = new;
+ racoon_free($2);
prspec = newprspec();
if (prspec == NULL)
{
/* check a exchange mode */
if (cur_rmconf->etypes == NULL) {
- yyerror("no exchange mode specified.\n");
+ racoon_yyerror("no exchange mode specified.\n");
return -1;
}
if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
- if (cur_rmconf->mycertfile
-#ifdef __APPLE__
- || cur_rmconf->identity_in_keychain)
-#endif
+ if (cur_rmconf->identity_in_keychain)
{
if (cur_rmconf->idv)
- yywarn("Both CERT and ASN1 ID "
+ racoon_yywarn("Both CERT and ASN1 ID "
"are set. Hope this is OK.\n");
/* TODO: Preparse the DN here */
} else if (cur_rmconf->idv) {
/* OK, using asn1dn without X.509. */
} else {
- yyerror("ASN1 ID not specified "
+ racoon_yyerror("ASN1 ID not specified "
"and no CERT defined!\n");
return -1;
}
}
-
-#ifdef __APPLE__
+
if (cur_rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER) {
struct genlist_entry *gpb;
if (genlist_next(cur_rmconf->idvl_p, &gpb) == NULL) {
- yyerror("peers_identifier required for specified certificate "
+ racoon_yyerror("peers_identifier required for specified certificate "
"verification option.\n");
return -1;
}
}
-#endif
if (cur_rmconf->prhead->spspec == NULL
&& cur_rmconf->inherited_from
if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0)
return -1;
- /* DH group settting if aggressive mode is there. */
+ /* DH group setting if aggressive mode or IKEv2. */
if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) {
struct isakmpsa *p;
int b = 0;
b = p->dh_group;
continue;
}
- yyerror("DH group must be equal "
+ racoon_yyerror("DH group must be equal "
"in all proposals "
"when aggressive mode is "
"used.\n");
cur_rmconf->dh_group = b;
if (cur_rmconf->dh_group == 0) {
- yyerror("DH group must be set in the proposal.\n");
+ racoon_yyerror("DH group must be set in the proposal.\n");
return -1;
}
/* DH group settting if PFS is required. */
if (oakley_setdhgroup(cur_rmconf->dh_group,
&cur_rmconf->dhgrp) < 0) {
- yyerror("failed to set DH value.\n");
+ racoon_yyerror("failed to set DH value.\n");
return -1;
}
}
remote_index
: ANONYMOUS ike_port
{
- $$ = newsaddr(sizeof(struct sockaddr));
- $$->sa_family = AF_UNSPEC;
- ((struct sockaddr_in *)$$)->sin_port = htons($2);
- }
- | ike_addrinfo_port
+
+ struct remote_index_val *new;
+
+ new = racoon_calloc(1, sizeof(*new));
+ if (new == NULL) {
+ racoon_yyerror("failed to allocate remote index struct");
+ return -1;
+ }
+ new->addr = newsaddr(sizeof(struct sockaddr_storage));
+ if (new->addr == NULL) {
+ racoon_yyerror("failed to allocate sockaddr storage");
+ racoon_free(new);
+ return -1;
+ }
+ new->addr->ss_family = AF_UNSPEC;
+ (ALIGNED_CAST(struct sockaddr_in *)new->addr)->sin_port = htons($2);
+ new->prefix = ~0;
+ $$ = new;
+ }
+ | ike_addrinfo_prefix_port
{
$$ = $1;
if ($$ == NULL) {
- yyerror("failed to allocate sockaddr");
+ racoon_yyerror("failed to allocate sockaddr_storage");
return -1;
}
}
exchange_types EOS
| DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
| SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
+ | IKE_VERSION NUMBER
+ {
+ if ($2 == 1)
+ cur_rmconf->ike_version = ISAKMP_VERSION_NUMBER_IKEV1;
+ else {
+ racoon_yyerror("invalid IKE version specified.\n");
+ return -1;
+ }
+ } EOS
| CERTIFICATE_TYPE cert_spec
- | PEERS_CERTFILE QUOTEDSTRING
- {
- yywarn("This directive without certtype will be removed!\n");
- yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
- cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
- cur_rmconf->peerscertfile = strdup($2->v);
- vfree($2);
- }
- EOS
- | CA_TYPE CERT_X509 QUOTEDSTRING
- {
- cur_rmconf->cacerttype = $2;
- cur_rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
- cur_rmconf->cacertfile = strdup($3->v);
- vfree($3);
- }
- EOS
- | PEERS_CERTFILE CERT_X509 QUOTEDSTRING
- {
- cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
- cur_rmconf->peerscertfile = strdup($3->v);
- vfree($3);
- }
- EOS
- | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
- {
- char path[MAXPATHLEN];
- int ret = 0;
-
- getpathname(path, sizeof(path),
- LC_PATHTYPE_CERT, $3->v);
- vfree($3);
-
- if (cur_rmconf->getcert_method == ISAKMP_GETCERT_DNS) {
- yyerror("Different peers_certfile method "
- "already defined: %d!\n",
- cur_rmconf->getcert_method);
- return -1;
- }
- cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
- if (rsa_parse_file(cur_rmconf->rsa_public, path, RSA_TYPE_PUBLIC)) {
- yyerror("Couldn't parse keyfile.\n", path);
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "Public PlainRSA keyfile parsed: %s\n", path);
- }
- EOS
- | PEERS_CERTFILE DNSSEC
- {
- if (cur_rmconf->getcert_method) {
- yyerror("Different peers_certfile method already defined!\n");
- return -1;
- }
- cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS;
- cur_rmconf->peerscertfile = NULL;
- }
- EOS
| VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
| SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
| SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
| CERTIFICATE_VERIFICATION VERIFICATION_MODULE
{
-#ifdef __APPLE__
cur_rmconf->cert_verification = $2;
-#else
- yyerror("Apple specific features not compiled in.");
- return -1;
-#endif
} EOS
| CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION
- {
-#ifdef __APPLE__
+ {
cur_rmconf->cert_verification = $2;
cur_rmconf->cert_verification_option = $3;
-#else
- yyerror("Apple specific features not compiled in.");
- return -1;
-#endif
}
EOS
| OPEN_DIR_AUTH_GROUP QUOTEDSTRING
{
-#ifdef __APPLE__
+#if HAVE_OPENDIR
cur_rmconf->open_dir_auth_group = $2;
#else
- yyerror("Apple specific features not compiled in.");
+ racoon_yyerror("Apple specific features not compiled in.");
return -1;
#endif
} EOS
| MY_IDENTIFIER IDENTIFIERTYPE identifierstring
{
if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
- yyerror("failed to set identifer.\n");
+ racoon_yyerror("failed to set identifer.\n");
vfree($3); //%%% BUG FIX - memory leak
return -1;
}
cur_rmconf->idvtype = $2;
}
EOS
+ | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
+ {
+ if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) {
+ racoon_yyerror("failed to set identifer.\n");
+ return -1;
+ }
+ cur_rmconf->idvtype = $2;
+ }
+ EOS
| XAUTH_LOGIN identifierstring
{
#ifdef ENABLE_HYBRID
/* formerly identifier type login */
- cur_rmconf->idvtype = IDTYPE_LOGIN;
- if (set_identifier(&cur_rmconf->idv, IDTYPE_LOGIN, $2) != 0) {
- yyerror("failed to set identifer.\n");
+ if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) {
+ racoon_yyerror("failed to allocate xauth state\n");
return -1;
}
- /* cur_rmconf->use_xauth = 1; */
+ if ((cur_rmconf->xauth->login = vdup($2)) == NULL) {
+ racoon_yyerror("failed to set identifer.\n");
+ return -1;
+ }
+ vfree($2); //%%% BUG FIX - memory leak
#else
- yyerror("racoon not configured with --enable-hybrid");
+ racoon_yyerror("racoon not configured with --enable-hybrid");
#endif
}
EOS
struct idspec *id;
id = newidspec();
if (id == NULL) {
- yyerror("failed to allocate idspec");
+ racoon_yyerror("failed to allocate idspec");
return -1;
}
if (set_identifier(&id->id, $2, $3) != 0) {
- yyerror("failed to set identifer.\n");
+ racoon_yyerror("failed to set identifer.\n");
racoon_free(id);
vfree($3); //%%% BUG FIX - memory leak
return -1;
genlist_append (cur_rmconf->idvl_p, id);
}
EOS
+ | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
+ {
+ struct idspec *id;
+ id = newidspec();
+ if (id == NULL) {
+ racoon_yyerror("failed to allocate idspec");
+ return -1;
+ }
+ if (set_identifier_qual(&id->id, $2, $4, $3) != 0) {
+ racoon_yyerror("failed to set identifer.\n");
+ racoon_free(id);
+ return -1;
+ }
+ id->idtype = $2;
+ genlist_append (cur_rmconf->idvl_p, id);
+ }
+ EOS
| VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
+ | LOCAL_ADDRESS ADDRSTRING
+ {
+ struct sockaddr_storage *saddr;
+ saddr = str2saddr($2->v, NULL);
+ vfree($2);
+ if (saddr == NULL)
+ return -1;
+ cur_rmconf->forced_local = saddr;
+ } EOS
| SHARED_SECRET SECRETTYPE QUOTEDSTRING
{
-#ifdef __APPLE__
cur_rmconf->secrettype = $2;
cur_rmconf->shared_secret = $3;
-#else
- yyerror("Apple specific features not compiled in.");
- return -1;
-#endif
} EOS
| SHARED_SECRET SECRETTYPE
{
-#ifdef __APPLE__
if ($2 != SECRETTYPE_KEYCHAIN_BY_ID) {
- yyerror("shared secret value missing.\n");
+ racoon_yyerror("shared secret value missing.\n");
return -1;
}
cur_rmconf->secrettype = $2;
-#else
- yyerror("Apple specific features not compiled in.");
- return -1;
-#endif
-
} EOS
| NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
| DH_GROUP
{
- yyerror("dh_group cannot be defined here.");
+ racoon_yyerror("dh_group cannot be defined here.");
return -1;
}
dh_group_num EOS
| PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
| IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS
+ | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS
| ESP_FRAG NUMBER {
#ifdef SADB_X_EXT_NAT_T_FRAG
- cur_rmconf->esp_frag = $2;
+ if (libipsec_opt & LIBIPSEC_OPT_FRAG)
+ cur_rmconf->esp_frag = $2;
+ else
+ racoon_yywarn("libipsec lacks IKE frag support");
#else
- yywarn("Your kernel does not support esp_frag");
+ racoon_yywarn("Your kernel does not support esp_frag");
#endif
} EOS
- | SCRIPT QUOTEDSTRING PHASE1_UP {
- cur_rmconf->script[SCRIPT_PHASE1_UP] =
- script_path_add(vdup($2));
- } EOS
- | SCRIPT QUOTEDSTRING PHASE1_DOWN {
- cur_rmconf->script[SCRIPT_PHASE1_DOWN] =
- script_path_add(vdup($2));
- } EOS
| MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS
+ | WEAK_PHASE1_CHECK SWITCH {
+ cur_rmconf->weak_phase1_check = $2;
+ } EOS
| GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
+ | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS
| SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS
| INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
| NAT_TRAVERSAL SWITCH
#ifdef ENABLE_NATT
cur_rmconf->nat_traversal = $2;
#else
- yyerror("NAT-T support not compiled in.");
+ racoon_yyerror("NAT-T support not compiled in.");
#endif
} EOS
| NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL
#ifdef ENABLE_NATT
cur_rmconf->nat_traversal = $2;
#else
- yyerror("NAT-T support not compiled in.");
+ racoon_yyerror("NAT-T support not compiled in.");
#endif
} EOS
| NAT_TRAVERSAL_MULTI_USER SWITCH
{
#ifdef ENABLE_NATT
-#ifdef __APPLE__
cur_rmconf->natt_multiple_user = $2;
#else
- yyerror("Apple specific features not compiled in.");
+ racoon_yyerror("NAT-T support not compiled in.");
#endif
+ } EOS
+ | NAT_TRAVERSAL_KEEPALIVE SWITCH
+ {
+#ifdef ENABLE_NATT
+ cur_rmconf->natt_keepalive = $2;
#else
- yyerror("NAT-T support not compiled in.");
+ racoon_yyerror("NAT-T support not compiled in.");
#endif
- } EOS
- | DPD SWITCH
+ } EOS
+| DPD SWITCH
{
#ifdef ENABLE_DPD
cur_rmconf->dpd = $2;
#else
- yyerror("DPD support not compiled in.");
+ racoon_yyerror("DPD support not compiled in.");
#endif
} EOS
| DPD_DELAY NUMBER
#ifdef ENABLE_DPD
cur_rmconf->dpd_interval = $2;
#else
- yyerror("DPD support not compiled in.");
+ racoon_yyerror("DPD support not compiled in.");
#endif
}
EOS
#ifdef ENABLE_DPD
cur_rmconf->dpd_retry = $2;
#else
- yyerror("DPD support not compiled in.");
+ racoon_yyerror("DPD support not compiled in.");
#endif
}
EOS
#ifdef ENABLE_DPD
cur_rmconf->dpd_maxfails = $2;
#else
- yyerror("DPD support not compiled in.");
+ racoon_yyerror("DPD support not compiled in.");
#endif
}
EOS
+ | DPD_ALGORITHM dpd_algo_type
+ {
+#ifdef ENABLE_DPD
+ cur_rmconf->dpd_algo = $2;
+#else
+ racoon_yyerror("DPD support not compiled in.");
+#endif
+ }
+ EOS
+ | DISCONNECT_ON_IDLE IDLE_TIMEOUT NUMBER IDLE_DIRECTION idle_dir_type
+ {
+ cur_rmconf->idle_timeout = $3;
+ cur_rmconf->idle_timeout_dir = $5;
+ }
+ EOS
| LIFETIME LIFETYPE_TIME NUMBER unittype_time
{
cur_rmconf->prhead->lifetime = $3 * $4;
| LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
{
#if 1
- yyerror("byte lifetime support is deprecated in Phase1");
+ racoon_yyerror("byte lifetime support is deprecated in Phase 1");
return -1;
#else
- yywarn("the lifetime of bytes in phase 1 "
+ racoon_yywarn("the lifetime of bytes in phase 1 "
"will be ignored at the moment.");
cur_rmconf->prhead->lifebyte = fix_lifebyte($3 * $4);
if (cur_rmconf->prhead->lifebyte == 0)
struct etypes *new;
new = racoon_malloc(sizeof(struct etypes));
if (new == NULL) {
- yyerror("filed to allocate etypes");
+ racoon_yyerror("failed to allocate etypes");
return -1;
}
new->type = $2;
}
;
cert_spec
- : CERT_X509 QUOTEDSTRING QUOTEDSTRING
+ : CERT_X509 IN_KEYCHAIN
{
- cur_rmconf->certtype = $1;
- cur_rmconf->mycertfile = strdup($2->v);
- vfree($2);
- cur_rmconf->myprivfile = strdup($3->v);
- vfree($3);
- }
- EOS
- | CERT_X509 IN_KEYCHAIN
- {
-#ifdef __APPLE__
cur_rmconf->certtype = $1;
cur_rmconf->identity_in_keychain = 1;
cur_rmconf->keychainCertRef = NULL;
-#endif
}
EOS
;
| CERT_X509 IN_KEYCHAIN QUOTEDSTRING
{
-#ifdef __APPLE__
-
cur_rmconf->certtype = $1;
cur_rmconf->identity_in_keychain = 1;
cur_rmconf->keychainCertRef = $3;
-#endif
- }
- EOS
- ;
- | CERT_PLAINRSA QUOTEDSTRING
- {
- char path[MAXPATHLEN];
- int ret = 0;
-
- getpathname(path, sizeof(path),
- LC_PATHTYPE_CERT, $2->v);
- vfree($2);
-
- cur_rmconf->certtype = $1;
- cur_rmconf->send_cr = FALSE;
- cur_rmconf->send_cert = FALSE;
- cur_rmconf->verify_cert = FALSE;
- if (rsa_parse_file(cur_rmconf->rsa_private, path, RSA_TYPE_PRIVATE)) {
- yyerror("Couldn't parse keyfile.\n", path);
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "Private PlainRSA keyfile parsed: %s\n", path);
}
EOS
;
{
$$ = algtype2doi(algclass_isakmp_dh, $1);
if ($$ == -1) {
- yyerror("must be DH group");
+ racoon_yyerror("must be DH group");
return -1;
}
+ switch ($$)
+ {
+ case OAKLEY_ATTR_GRP_DESC_MODP768:
+ case OAKLEY_ATTR_GRP_DESC_MODP1024:
+ case OAKLEY_ATTR_GRP_DESC_MODP1536:
+ case OAKLEY_ATTR_GRP_DESC_MODP2048:
+ case OAKLEY_ATTR_GRP_DESC_MODP3072:
+ case OAKLEY_ATTR_GRP_DESC_MODP4096:
+ case OAKLEY_ATTR_GRP_DESC_MODP6144:
+ case OAKLEY_ATTR_GRP_DESC_MODP8192:
+ break;
+ default:
+ racoon_yyerror("Invalid DH group specified");
+ return -1;
+ break;
+ }
}
| NUMBER
{
if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
$$ = num2dhgroup[$1];
} else {
- yyerror("must be DH group");
+ racoon_yyerror("must be DH group");
$$ = 0;
return -1;
}
- }
+ switch ($$)
+ {
+ case OAKLEY_ATTR_GRP_DESC_MODP768:
+ case OAKLEY_ATTR_GRP_DESC_MODP1024:
+ case OAKLEY_ATTR_GRP_DESC_MODP1536:
+ case OAKLEY_ATTR_GRP_DESC_MODP2048:
+ case OAKLEY_ATTR_GRP_DESC_MODP3072:
+ case OAKLEY_ATTR_GRP_DESC_MODP4096:
+ case OAKLEY_ATTR_GRP_DESC_MODP6144:
+ case OAKLEY_ATTR_GRP_DESC_MODP8192:
+ break;
+ default:
+ racoon_yyerror("Invalid DH group specified");
+ return -1;
+ break;
+ }
+ }
;
identifierstring
: /* nothing */ { $$ = NULL; }
isakmpproposal_spec
: STRENGTH
{
- yyerror("strength directive is obsoleted.");
+ racoon_yyerror("strength directive is obsoleted.");
} STRENGTHTYPE EOS
| LIFETIME LIFETYPE_TIME NUMBER unittype_time
{
| LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
{
#if 1
- yyerror("byte lifetime support is deprecated");
+ racoon_yyerror("byte lifetime support is deprecated");
return -1;
#else
cur_rmconf->prhead->spspec->lifebyte = fix_lifebyte($3 * $4);
| GSS_ID QUOTEDSTRING
{
if (cur_rmconf->prhead->spspec->vendorid != VENDORID_GSSAPI) {
- yyerror("wrong Vendor ID for gssapi_id");
+ racoon_yyerror("wrong Vendor ID for gssapi_id");
return -1;
}
- cur_rmconf->prhead->spspec->gssid = strdup($2->v);
+ if (cur_rmconf->prhead->spspec->gssid != NULL)
+ racoon_free(cur_rmconf->prhead->spspec->gssid);
+ cur_rmconf->prhead->spspec->gssid =
+ racoon_strdup($2->v);
+ STRDUP_FATAL(cur_rmconf->prhead->spspec->gssid);
}
EOS
| ALGORITHM_CLASS ALGORITHMTYPE keylength
{
int doi;
int defklen;
-
- doi = algtype2doi($1, $2);
- if (doi == -1) {
- yyerror("algorithm mismatched 1");
- return -1;
- }
+ {
+ doi = algtype2doi($1, $2);
+ if (doi == -1) {
+ racoon_yyerror("algorithm mismatched 1");
+ return -1;
+ }
+ }
switch ($1) {
case algclass_isakmp_enc:
/* reject suppressed algorithms */
-#ifndef HAVE_OPENSSL_RC5_H
- if ($2 == algtype_rc5) {
- yyerror("algorithm %s not supported",
- s_attr_isakmp_enc(doi));
- return -1;
- }
-#endif
-#ifndef HAVE_OPENSSL_IDEA_H
- if ($2 == algtype_idea) {
- yyerror("algorithm %s not supported",
- s_attr_isakmp_enc(doi));
- return -1;
- }
-#endif
-
cur_rmconf->prhead->spspec->algclass[algclass_isakmp_enc] = doi;
defklen = default_keylen($1, $2);
if (defklen == 0) {
if ($3) {
- yyerror("keylen not allowed");
+ racoon_yyerror("keylen not allowed");
return -1;
}
} else {
if ($3 && check_keylen($1, $2, $3) < 0) {
- yyerror("invalid keylen %d", $3);
+ racoon_yyerror("invalid keylen %d", $3);
return -1;
}
}
case algtype_gssapikrb:
if (cur_rmconf->prhead->spspec->vendorid !=
VENDORID_UNKNOWN) {
- yyerror("Vendor ID mismatch "
+ racoon_yyerror("Vendor ID mismatch "
"for auth method");
return -1;
}
cur_rmconf->prhead->spspec->vendorid =
VENDORID_GSSAPI;
break;
- case algtype_rsasig:
- if (cur_rmconf->certtype == ISAKMP_CERT_PLAINRSA) {
- if (rsa_list_count(cur_rmconf->rsa_private) == 0) {
- yyerror ("Private PlainRSA key not set. "
- "Use directive 'certificate_type plainrsa ...'\n");
- return -1;
- }
- if (rsa_list_count(cur_rmconf->rsa_public) == 0) {
- yyerror ("Public PlainRSA keys not set. "
- "Use directive 'peers_certfile plainrsa ...'\n");
- return -1;
- }
- }
- break;
default:
break;
}
break;
default:
- yyerror("algorithm mismatched 2");
+ racoon_yyerror("algorithm mismatched 2");
return -1;
}
}
| UNITTYPE_MBYTES { $$ = (1024 * 1024); }
| UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); }
;
+dpd_algo_type
+ : DPD_ALGO_TYPE_DEFAULT { $$ = DPD_ALGO_DEFAULT; }
+ | DPD_ALGO_TYPE_INBOUND { $$ = DPD_ALGO_INBOUND_DETECT; }
+ | DPD_ALGO_TYPE_BLACKHOLE { $$ = DPD_ALGO_BLACKHOLE_DETECT; }
+ ;
+idle_dir_type
+ : IDLE_DIRECTION_ANY { $$ = IPSEC_DIR_ANY; }
+ | IDLE_DIRECTION_IN { $$ = IPSEC_DIR_INBOUND; }
+ | IDLE_DIRECTION_OUT { $$ = IPSEC_DIR_OUTBOUND; }
+ ;
%%
static struct proposalspec *
new = racoon_calloc(1, sizeof(*new));
if (new == NULL)
- yyerror("failed to allocate proposal");
+ racoon_yyerror("failed to allocate proposal");
return new;
}
new = racoon_calloc(1, sizeof(*new));
if (new == NULL) {
- yyerror("failed to allocate spproto");
+ racoon_yyerror("failed to allocate spproto");
return NULL;
}
p = prspec;
if (p->next != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"multiple proposal definition.\n");
return -1;
}
/* mandatory check */
if (p->spspec == NULL) {
- yyerror("no remote specification found: %s.\n",
- saddr2str(rmconf->remote));
+ racoon_yyerror("no remote specification found: %s.\n",
+ saddr2str((struct sockaddr *)rmconf->remote));
return -1;
}
for (s = p->spspec; s != NULL; s = s->next) {
/* XXX need more to check */
if (s->algclass[algclass_isakmp_enc] == 0) {
- yyerror("encryption algorithm required.");
+ racoon_yyerror("encryption algorithm required.");
return -1;
}
if (s->algclass[algclass_isakmp_hash] == 0) {
- yyerror("hash algorithm required.");
- return -1;
+ racoon_yyerror("hash algorithm required.");
+ return -1;
}
if (s->algclass[algclass_isakmp_dh] == 0) {
- yyerror("DH group required.");
+ racoon_yyerror("DH group required.");
return -1;
}
if (s->algclass[algclass_isakmp_ameth] == 0) {
- yyerror("authentication method required.");
+ racoon_yyerror("authentication method required.");
return -1;
}
}
;
while (s != NULL) {
- plog(LLV_DEBUG2, LOCATION, NULL,
+ plog(ASL_LEVEL_DEBUG,
"lifetime = %ld\n", (long)
(s->lifetime ? s->lifetime : p->lifetime));
- plog(LLV_DEBUG2, LOCATION, NULL,
+ plog(ASL_LEVEL_DEBUG,
"lifebyte = %d\n",
s->lifebyte ? s->lifebyte : p->lifebyte);
- plog(LLV_DEBUG2, LOCATION, NULL,
+ plog(ASL_LEVEL_DEBUG,
"encklen=%d\n", s->encklen);
memset(types, 0, ARRAYLEN(types));
types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
- types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
+ types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
types[algclass_isakmp_ameth] =
s->algclass[algclass_isakmp_ameth];
s->encklen, s->vendorid, s->gssid,
rmconf);
if (trns_no == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"failed to expand isakmp proposal.\n");
return -1;
}
}
if (rmconf->proposal == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"no proposal found.\n");
return -1;
}
{
int j;
char tb[10];
- plog(LLV_DEBUG2, LOCATION, NULL,
+ plog(ASL_LEVEL_DEBUG,
"p:%d t:%d\n", prop_no, trns_no);
for (j = class; j < MAXALGCLASS; j++) {
snprintf(tb, sizeof(tb), "%d", types[j]);
- plog(LLV_DEBUG2, LOCATION, NULL,
+ plog(ASL_LEVEL_DEBUG,
"%s%s%s%s\n",
s_algtype(j, types[j]),
types[j] ? "(" : "",
tb[0] == '0' ? "" : tb,
types[j] ? ")" : "");
}
- plog(LLV_DEBUG2, LOCATION, NULL, "\n");
+ plog(ASL_LEVEL_DEBUG, "\n");
}
#define TMPALGTYPE2STR(n) \
/* check mandatory values */
if (types[algclass_isakmp_enc] == 0
|| types[algclass_isakmp_ameth] == 0
- || types[algclass_isakmp_hash] == 0
|| types[algclass_isakmp_dh] == 0) {
- yyerror("few definition of algorithm "
+ racoon_yyerror("few definition of algorithm "
"enc=%s ameth=%s hash=%s dhgroup=%s.\n",
TMPALGTYPE2STR(enc),
TMPALGTYPE2STR(ameth),
/* set new sa */
new = newisakmpsa();
if (new == NULL) {
- yyerror("failed to allocate isakmp sa");
+ racoon_yyerror("failed to allocate isakmp sa");
return -1;
}
new->prop_no = prop_no;
new->enctype = types[algclass_isakmp_enc];
new->encklen = encklen;
new->authmethod = types[algclass_isakmp_ameth];
- new->hashtype = types[algclass_isakmp_hash];
+ new->hashtype = types[algclass_isakmp_hash];
+ new->prf = types[algclass_isakmp_hash];
new->dh_group = types[algclass_isakmp_dh];
new->vendorid = vendorid;
-#ifdef HAVE_GSSAPI
- if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
- if (gssid != NULL) {
- new->gssid = vmalloc(strlen(gssid));
- memcpy(new->gssid->v, gssid, new->gssid->l);
- racoon_free(gssid);
- } else {
- /*
- * Allocate the default ID so that it gets put
- * into a GSS ID attribute during the Phase 1
- * exchange.
- */
- new->gssid = gssapi_get_default_gss_id();
- }
- }
-#endif
insisakmpsa(new, rmconf);
return trns_no;
}
static int
-listen_addr (struct sockaddr *addr, int udp_encap)
+listen_addr (struct sockaddr_storage *addr, int udp_encap)
{
struct myaddrs *p;
p = newmyaddr();
if (p == NULL) {
- yyerror("failed to allocate myaddrs");
+ racoon_yyerror("failed to allocate myaddrs");
return -1;
}
p->addr = addr;
if (p->addr == NULL) {
- yyerror("failed to copy sockaddr ");
+ racoon_yyerror("failed to copy sockaddr_storage ");
delmyaddr(p);
return -1;
}
p->udp_encap = udp_encap;
-#ifdef __APPLE__
/* These need to be initialized for Apple modifications
* to open code for isakmp sockets
*/
p->sock = -1;
p->in_use = 1;
-#endif
insmyaddr(p, &lcconf->myaddrs);
unsigned long t;
{
if (t < 1024) {
- yyerror("byte size should be more than 1024B.");
+ racoon_yyerror("byte size should be more than 1024B.");
return 0;
}
{
int error;
- plog(LLV_DEBUG, LOCATION, NULL, "===== parse config\n");
+ plog(ASL_LEVEL_DEBUG, "===== parsing configuration\n");
yycf_init_buffer();
- if (yycf_switch_buffer(lcconf->racoon_conf) != 0)
+ if (yycf_switch_buffer(lcconf->racoon_conf) != 0) {
+ IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf),
+ IPSECCONFIGEVENTCODE_PARSE_ERROR,
+ CONSTSTR("could not read configuration file"),
+ CONSTSTR("cfparse: yycf_switch_buffer erred"));
+ plog(ASL_LEVEL_ERR,
+ "could not read configuration file \"%s\"\n",
+ lcconf->racoon_conf);
return -1;
+ }
error = yyparse();
if (error != 0) {
if (yyerrorcount) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"fatal parse failure (%d errors)\n",
yyerrorcount);
} else {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"fatal parse failure.\n");
}
+ IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf),
+ IPSECCONFIGEVENTCODE_PARSE_ERROR,
+ CONSTSTR("fatal parse failure"),
+ CONSTSTR("cfparse: yyparse erred"));
+ yycf_clean_buffer();
return -1;
}
if (error == 0 && yyerrorcount) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(ASL_LEVEL_ERR,
"parse error is nothing, but yyerrorcount is %d.\n",
yyerrorcount);
+ IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf),
+ IPSECCONFIGEVENTCODE_PARSE_ERROR,
+ CONSTSTR("ambivalent error code"),
+ CONSTSTR("cfparse: error == 0 && yerrorcount"));
+ yycf_clean_buffer();
exit(1);
}
yycf_clean_buffer();
- plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
+ plog(ASL_LEVEL_DEBUG, "parse succeeded.\n");
return 0;
}
int
-cfreparse()
+cfreparse(int sig)
{
- plog(LLV_DEBUG, LOCATION, NULL, "==== Got HUP signal - re-parsing.\n");
- flushph2();
- flushph1();
+ int result;
+ int ignore_estab_or_assert_handles = (sig == SIGUSR1);
+
+ if (sig >= 0 && sig < NSIG) {
+ plog(ASL_LEVEL_DEBUG, "==== Got %s signal - re-parsing configuration.\n", sys_signame[sig]);
+ } else {
+ plog(ASL_LEVEL_ERR, "==== Got Unknown signal - re-parsing configuration.\n");
+ IPSECCONFIGTRACEREVENT(CONSTSTR("reparse"),
+ IPSECCONFIGEVENTCODE_REPARSE_ERROR,
+ CONSTSTR("Unknown signal"),
+ CONSTSTR("cfreparse: triggered by unknown signal"));
+ }
+ plog(ASL_LEVEL_DEBUG, "==== %s sessions.\n", ignore_estab_or_assert_handles? "flush negotiating" : "flush all");
+
+ ike_session_flush_all_phase2(ignore_estab_or_assert_handles);
+ ike_session_flush_all_phase1(ignore_estab_or_assert_handles);
flushrmconf();
flushsainfo();
- flushlcconf();
check_auto_exit(); /* check/change state of auto exit */
clean_tmpalgtype();
-
- return(cfparse());
+ savelcconf();
+ result = cfparse();
+ restorelcconf();
+ return result;
}
-#ifdef ENABLE_ADMINPORT
-static void
-adminsock_conf(path, owner, group, mode_dec)
- vchar_t *path;
- vchar_t *owner;
- vchar_t *group;
- int mode_dec;
-{
- struct passwd *pw = NULL;
- struct group *gr = NULL;
- mode_t mode = 0;
- uid_t uid;
- gid_t gid;
- int isnum;
-
- adminsock_path = path->v;
-
- if (owner == NULL)
- return;
-
- errno = 0;
- uid = atoi(owner->v);
- isnum = !errno;
- if (((pw = getpwnam(owner->v)) == NULL) && !isnum)
- yyerror("User \"%s\" does not exist", owner->v);
-
- if (pw)
- adminsock_owner = pw->pw_uid;
- else
- adminsock_owner = uid;
-
- if (group == NULL)
- return;
-
- errno = 0;
- gid = atoi(group->v);
- isnum = !errno;
- if (((gr = getgrnam(group->v)) == NULL) && !isnum)
- yyerror("Group \"%s\" does not exist", group->v);
-
- if (gr)
- adminsock_group = gr->gr_gid;
- else
- adminsock_group = gid;
-
- if (mode_dec == -1)
- return;
-
- if (mode_dec > 777)
- yyerror("Mode 0%03o is invalid", mode_dec);
- if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; }
- if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; }
- if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; }
-
- if (mode_dec > 77)
- yyerror("Mode 0%03o is invalid", mode_dec);
- if (mode_dec >= 40) { mode += 040; mode_dec -= 40; }
- if (mode_dec >= 20) { mode += 020; mode_dec -= 20; }
- if (mode_dec >= 10) { mode += 020; mode_dec -= 10; }
-
- if (mode_dec > 7)
- yyerror("Mode 0%03o is invalid", mode_dec);
- if (mode_dec >= 4) { mode += 04; mode_dec -= 4; }
- if (mode_dec >= 2) { mode += 02; mode_dec -= 2; }
- if (mode_dec >= 1) { mode += 02; mode_dec -= 1; }
-
- adminsock_mode = mode;
-
- return;
-}
-#endif
projects / apple / ipsec.git / blobdiff